Cybersecurity has come to the White House.
President Obama apparently plans to present some detailed security-related initiatives during his State of the Union address next week. As a serious State of the Union watcher, I recall cybersecurity being addressed in the past, but it seems like, for the first time, there are serious calls to action.
In the not-so-distant past, cybersecurity wasn’t something the average American cared about. Yes, it is a pain when a store or bank is breached and you have to get a new credit card, but beyond that, it is really hard to get people to take security more seriously. I know this because I’ve gotten my share of apathetic shrugs when I talk about security with my friends and encourage behaviors like more secure passwords and securing their phones. Security was always someone else’s problem.
But in 2014, cybersecurity became a problem too big to ignore. Weekly, the general public was reminded of the latest major retail breach or the latest financial institution to be hacked, and maybe the final straws were the iCloud and Sony problems. When the chance arises that our private photographs could be stolen or we aren’t able to see a movie of questionable taste, well, then we care.
Specifically, Obama plans to address issues like student privacy through the proposed Student Digital Privacy Act which, according to ABC News:
… would prohibit companies from selling student data to third parties, a move spurred by the increased use of technology in schools that can scoop up personal information.
Another important initiative is the Personal Data Notification & Protection Act, requiring companies to notify consumers of a breach within 30 days.
These, and other proposals that Obama will discuss next week, are a step in the right direction toward improving the entire culture of cybersecurity. Kevin Jones, senior information security architect with Thycotic, told me in an email that he sees the Personal Data Notification & Protection Act as an improvement over current regulations:
What we have now is a mix of state-level laws and territories having their own rules, and industry regulations regarding disclosure, such as HIPAA for health care and GLBA for financial institutions. As more data is digitized by companies, rules must be expanded to other industries to protect consumers. By federally passing a law, we will have a canonical law that applies to all organizations, and consumers will know what to expect. Right now, it isn’t clear to most people what laws are in place to protect their personally identifiable information (PII) and data.
While it would be nice to have a uniform notification law, as opposed to the patchwork, state-by-state system set up now, we have to remember that these initiatives are just proposals until Congress decides to act.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba